cadlkid
asked on
windows 7 logoff
In my environment (Windows 7 Pro on Server 2003 ad domain) it is not desirable to display the "Logoff", "Shutdown", "Restart", "hibernate" or "Sleep" buttons in the start menu.
If I enable the following GPO, the logoff button disappears like desired:
- User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove Logoff on the Start Menu"
This is great, but...
If I also enable the following GPO along with the above policy, the logoff button reappears:
-User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove and Prevent access to the Shut Down, Restart, Sleep and Hibernate Commands"
No so good! I have also tried adding the "NoClose" and "StartMenuLogoff" registry entries to the HKEY_CURRENT_USER\Software
When both are configured together, I have attached a photo of what the start menu looks like.
I will grant max points for whoever can help me successfully remove all of the said entries from the start menu in Windows 7 Pro. - I have been working on this way too long!
Thanks in advance.
Logoff.jpg
If I enable the following GPO, the logoff button disappears like desired:
- User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove Logoff on the Start Menu"
This is great, but...
If I also enable the following GPO along with the above policy, the logoff button reappears:
-User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove and Prevent access to the Shut Down, Restart, Sleep and Hibernate Commands"
No so good! I have also tried adding the "NoClose" and "StartMenuLogoff" registry entries to the HKEY_CURRENT_USER\Software
When both are configured together, I have attached a photo of what the start menu looks like.
I will grant max points for whoever can help me successfully remove all of the said entries from the start menu in Windows 7 Pro. - I have been working on this way too long!
Thanks in advance.
Logoff.jpg
Use policy to get as far as you can and then use profiles to get the rest of the way. I use this combination successfully all of the time.
Are you trying to remove the logoff button altogether?
This is all a bit moot when the users have access to the run line where they could execute cmd and then the shutdown command mind, you might want to consider removing that too.
You will not be able to get everything you want removed with policy. In 2008 the .adm files are now .admx and the client side extensions will not be available. You can use 2003 and get as far as you have, then you will need to use a profile and registry hacks to ge the rest of the way. You can set up a workstation in your domain and install the client side extensions there and get access to the new policies available on 2008 server.
Officially the correct answer would be update your domain to a 2008 ad domain however it may not be suitible for your situation.
So I've heard of a product from a company I use, I know it's not a free solution but I've heard good things about it....
http://www.faronics.com/en/Products/WINSelect/WINSelectKeyFeatures.aspx
So I've heard of a product from a company I use, I know it's not a free solution but I've heard good things about it....
http://www.faronics.com/en/Products/WINSelect/WINSelectKeyFeatures.aspx
ASKER
Experts - Thanks for all of your help thus far!
1. I am confused - If I manually configure the the registry values that "mavalpha" mentioned and it does not remove the "Logoff", "Shutdown", "Restart", "hibernate" or "Sleep" buttons in the start menu - How would using the .admx templates in server 2008 be any different? (don't the GPO's just change these same reg keys?)
2. I am using a Windows 7 computer on my server 2003 domain - Shouldn't I already have these templates because I am using win7 to configure and manage the GPO's?
I will also try today using a customized profile in conjunction with policy and/or registry settings.
Thanks again!
1. I am confused - If I manually configure the the registry values that "mavalpha" mentioned and it does not remove the "Logoff", "Shutdown", "Restart", "hibernate" or "Sleep" buttons in the start menu - How would using the .admx templates in server 2008 be any different? (don't the GPO's just change these same reg keys?)
2. I am using a Windows 7 computer on my server 2003 domain - Shouldn't I already have these templates because I am using win7 to configure and manage the GPO's?
I will also try today using a customized profile in conjunction with policy and/or registry settings.
Thanks again!
Use gpedit.msc and make your changes with local policy on the win 7 box and create the profile locally.
ASKER
Crandell - Can you please expand on this explanation? Not sure what you mean by creating the profile locally with local policy?
Forgive my idiocy.
Forgive my idiocy.
log on with a user with admin privs. configure your local group policy editor to the desktop you want to see. Then logoff and logon with another admin account. Copy the profile you created to the default users profile. All users that log on now for the first time will see the profile you created.
1. I am confused - If I manually configure the the registry values that "mavalpha" mentioned and it does not remove the "Logoff", "Shutdown", "Restart", "hibernate" or "Sleep" buttons in the start menu - How would using the .admx templates in server 2008 be any different? (don't the GPO's just change these same reg keys?)
Yes/No, Not exactly, new registry information is placed into the computers registry after configuring your GPO, these are more or less an override for the existing registry items. However, some are directly overwritten.
2. I am using a Windows 7 computer on my server 2003 domain - Shouldn't I already have these templates because I am using win7 to configure and manage the GPO's?
No
A server 2003 domain can only effectively manage policies that have been grandfathered to new OS, so if in Win7 a new policy has been added to the OS then Server 2003 will not be able to configure it because it won't know what the new configurable policies are for that OS, but Server 2008 would be able to manage those new available policies. Which is why it's important to update the functional level of your AD Domain just like you do your computers (if you don't just replace those).
Yes/No, Not exactly, new registry information is placed into the computers registry after configuring your GPO, these are more or less an override for the existing registry items. However, some are directly overwritten.
2. I am using a Windows 7 computer on my server 2003 domain - Shouldn't I already have these templates because I am using win7 to configure and manage the GPO's?
No
A server 2003 domain can only effectively manage policies that have been grandfathered to new OS, so if in Win7 a new policy has been added to the OS then Server 2003 will not be able to configure it because it won't know what the new configurable policies are for that OS, but Server 2008 would be able to manage those new available policies. Which is why it's important to update the functional level of your AD Domain just like you do your computers (if you don't just replace those).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
To remove Logoff:
HKEY_CURRENT_USER\Software
DWORD: StartMenuLogOff, value=1
To remove Switch user:
HKEY_CURRENT_USER\Software
DWORD: HideFastUserSwitching, value=1
To remove Lock:
HKEY_CURRENT_USER\Software
DWORD: DisableLockWorkstation, value=1
To remove Shutdown:
HKEY_CURRENT_USER\Software
DWORD: NoClose, value=1